SMS (Short Message Service) is a staple of modern communication, used daily by billions of people worldwide. It is a key channel for delivering everything from personal messages to two-factor authentication (2FA) codes and critical government updates. But while SMS is quick and convenient, its underlying technology is outdated and lacks robust security. In this post, we'll explore how SMS works, why it's not very secure, and what you can do to protect yourself.
How SMS works
At its core, SMS is a text-based communication method that works over cellular networks. Here's a step-by-step look at what happens when you send a text message:
- Sending the Message: When you type and send an SMS, your phone converts the text into a signal and transmits it to the nearest cell tower.
- Routing the Message: The cell tower forwards the signal to a Short Message Service Centre (SMSC), which acts as a hub for processing and managing SMS traffic.
- Delivering the Message: The SMSC checks the recipient's phone number, determines their current location, and routes the message to the corresponding cell tower. If the recipient's phone is offline, the SMSC stores the message and retries later.
- Receiving the Message: The recipient's phone receives the text, and the process is complete.
This system was designed for reliability and simplicity rather than security. While efficient, it has limitations that make it vulnerable to exploitation.
Why SMS is not secure
Several factors contribute to SMS's lack of security:
- Plaintext Transmission: SMS messages are sent in plaintext, meaning they are not encrypted. This makes them easy to intercept during transmission, especially on unsecured networks.
- Sender ID Spoofing: The Sender ID, which is the name or number that appears in your inbox, can be faked. Cybercriminals exploit this weakness to impersonate trusted entities, such as banks or government agencies.
- No Authentication Protocols: SMS lacks built-in mechanisms to verify the sender's identity or the message's integrity. This allows fraudsters to send convincing but fraudulent messages.
- Susceptibility to Phishing: SMS phishing, or "smishing," is a common tactic used by scammers. By posing as trusted entities, they trick people into clicking on malicious links or sharing sensitive information.
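To make the Sender ID and authentication points above concrete, here is an added example (not code from the original post) that decodes an SMS-DELIVER PDU, the format defined in 3GPP TS 23.040 in which the network hands a message to the phone. The sample PDU is constructed, the function names are this example's own, and it assumes GSM 7-bit text limited to letters, digits and spaces with no user data header.

```python
# Constructed sample PDU (not a captured message): sender "MyBank", text "Verify now".
SAMPLE_PDU = (
    "00"                  # SMSC address omitted
    "04"                  # first octet: SMS-DELIVER, no more messages waiting
    "0BD0CDBC30EC5E03"    # TP-OA: 11 semi-octets, type 0xD0 (alphanumeric), packed name
    "00" "00"             # TP-PID, TP-DCS (GSM 7-bit default alphabet)
    "42105101030023"      # TP-SCTS: timestamp set by the service centre
    "0A"                  # TP-UDL: 10 septets
    "D6B23C6DCE83DCEF3B"  # TP-UD: packed text
)

def unpack7(data: bytes, count: int) -> str:
    """Unpack GSM 7-bit septets, which are packed least significant bit first."""
    bits = int.from_bytes(data, "little")
    # Assumption: only letters, digits and space occur, where GSM 7-bit equals ASCII.
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(count))

def swap_bcd(data: bytes) -> str:
    """Decode a numeric address: swapped-nibble BCD, padded with 0xF."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data).rstrip("F")

def parse_deliver(pdu_hex: str) -> dict:
    pdu = bytes.fromhex(pdu_hex)
    pos = 1 + pdu[0]                        # skip SMSC address (length in octets)
    first = pdu[pos]
    if first & 0x03 or first & 0x40:
        raise ValueError("only SMS-DELIVER without a user data header is handled")
    semi, toa = pdu[pos + 1], pdu[pos + 2]  # TP-OA length (semi-octets) and type
    raw = pdu[pos + 3 : pos + 3 + (semi + 1) // 2]
    pos += 3 + len(raw)
    if (toa >> 4) & 0x07 == 0b101:          # type-of-number 5: alphanumeric
        kind, sender = "alphanumeric", unpack7(raw, semi * 4 // 7)
    else:
        kind, sender = "numeric", swap_bcd(raw)
    if pdu[pos + 1] != 0x00:
        raise ValueError("only the GSM 7-bit default alphabet is handled")
    pos += 2 + 7                            # skip TP-PID, TP-DCS, TP-SCTS
    udl = pdu[pos]
    end = pos + 1 + (udl * 7 + 7) // 8
    return {
        "sender_kind": kind,
        "sender": sender,
        "text": unpack7(pdu[pos + 1 : end], udl),
        # Octets left after the text: the PDU has no signature or MAC field.
        "trailing_octets": len(pdu) - end,
    }

if __name__ == "__main__":
    print(parse_deliver(SAMPLE_PDU))
```

The name shown in the inbox is just the decoded TP-OA field, and once the text has been read no octets remain that could carry a signature for the phone to verify.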
Real-life impact
The consequences of SMS vulnerabilities can be severe. In Singapore, cases of smishing have led to financial losses and data breaches. For example, scammers might send a fake SMS claiming to be from your bank, asking you to "verify" your account by clicking a link. Because the Sender ID appears legitimate, many fall victim.
SMS's vulnerabilities highlight the need for more secure communication channels, especially for critical information. Understanding these risks is the first step to staying safe.